Protecting Your Network From The Inside-Out


WHITE PAPER
Protecting Your Network From the Inside-Out
Internal Segmentation Firewall (ISFW)

Table of Contents
  Summary
  Advanced Threats Take Advantage of the “Flat Internal” Network
  The Answer is a New Class of Firewall – Internal Segmentation Firewall
  ISFW Technology Requirements
  Conclusion

Summary

For the last decade organizations have been trying to protect their networks by building defenses across the borders of their network. This includes the Internet edge, perimeter, endpoint, and data center (including the DMZ). This ‘outside-in’ approach has been based on the concept that companies can control clearly defined points of entry and secure their valuable assets. The strategy was to build a border defense as strong as possible and assume nothing got past the firewall.

As organizations grow and embrace the latest IT technology such as Mobility and Cloud, the traditional network boundaries are becoming increasingly complex to control and secure. There are now many different ways into an enterprise network.

Not long ago, firewall vendors marked the ports on their appliances ‘External’ (Untrusted) and ‘Internal’ (Trusted). However, advanced threats use this to their advantage because, once inside, the network is very flat and open. The inside of the network usually consists of non-security-aware devices such as switches, routers and even bridges.
So once you gain access to the network as a hacker, contractor or even rogue employee, you get free access to the entire enterprise network, including all the valuable assets.

Key Requirements
- COMPLETE PROTECTION – Continuous inside-out protection against advanced threats with a single security infrastructure
- POLICY-DRIVEN – To better control and compartmentalize users and limit threat vectors’ access to sensitive resources
- EASY DEPLOYMENT – Default Transparent Mode means no need to re-architect the network; centrally deployed and managed
- HIGH PERFORMANCE – Multi-gigabit performance supports wire-speed East-West traffic

The solution is a new class of firewall – Internal Segmentation Firewall (ISFW), that sits at strategic points of the internal network. It may sit in front of specific servers that contain valuable intellectual property, or a set of user devices, or web applications sitting in the cloud.

www.fortinet.com

WHITE PAPER: PROTECTING YOUR NETWORK FROM THE INSIDE–OUT – INTERNAL SEGMENTATION FIREWALL (ISFW)

Once in place, the ISFW must provide instant “visibility” to traffic traversing into and out of that specific network asset. This visibility is needed instantly, without months of network planning and deployment.

Most importantly, the ISFW must also provide “protection”, because detection is only a part of the solution. Sifting through logs and alerts can take weeks or months; the ISFW needs to deliver proactive segmentation and real-time protection based on the latest security updates.

Finally, the ISFW must be flexible enough to be placed anywhere within the internal network and integrate with other parts of the enterprise security solution under a single pane of management glass. Other security solutions can also provide additional visibility and protection. This includes the email gateway, web gateway, border firewalls, cloud firewalls and endpoints. Further, Internal Segmentation Firewalls need to scale from low to high throughputs, allowing deployment across the global network.

Advanced Threats Take Advantage of the “Flat Internal” Network

Cybercriminals are creating customized attacks to evade traditional defenses and, once inside, to avoid detection and enable egress of valuable data. Once inside the network there are few systems in place to detect, or better still protect against, APTs.

It can be seen from the threat life cycle in Figure 1 that once the perimeter border is penetrated, the majority of the activity takes place inside the boundary of the network.
Activities include disabling any agent-based security, updates from the botnet command and control system, additional infection/recruitment and extraction of the targeted assets.

FIGURE 1 – ADVANCED THREAT LIFE CYCLE (figure: four stages spanning External and Internal – 1 Threat Production/Recon: scan for vulnerabilities, design phishing emails, customize malware, etc.; 2 Infection via Threat Vector: social engineering, zero-day exploits, malicious URLs, malicious apps, more; 3 Communication: hide, spread, disarm, access, contact botnet C&C, update; 4 Extraction: package & encrypt, stage, disposal)

The Answer is a New Class of Firewall – Internal Segmentation Firewall (ISFW)

Most firewall development over the past decade has been focused on the border, the Internet edge, perimeter (host firewall), endpoint, data center (DMZ) or the cloud. This started with the stateful firewall but has evolved to include Unified Threat Management (UTM) for distributed networks, which brought together the firewall, intrusion detection and antivirus. Later came the Next Generation Firewall (NGFW), which included intrusion prevention and application control for the Internet edge. More recently, because of the huge increase in speeds, Data Center Firewalls (DCFW) have arrived to provide more than 100Gbps of throughput. All of these firewalls have in common an approach designed to protect from the “outside-in.”

Foundation of ISFW

Enterprises should deploy ISFW with next generation functionalities at strategic points within the internal network, adding an additional security layer to provide the following security benefits:
- Control access to critical resources/assets as close as possible to the user via policy-driven segmentation.
- Establish security barriers to stop and limit the uncontrolled spread of threats and hackers’ activity within the internal network via the implementation of advanced security mechanisms.
- Limit the potential damage of threats inside the perimeter.
- Increase threat visibility and enhance breach discovery and mitigation.
- Strengthen the enterprise’s overall security posture.

For rapid internal deployment and protection, a new class of firewall is required – Internal Segmentation Firewall (ISFW). The Internal Segmentation Firewall has some different characteristics when compared to a border firewall.
The differences are laid out in Figure 2.

FIGURE 2 – FIREWALL TYPE DIFFERENCES

Purpose
  ISFW: Visibility & protection for internal segments
  NGFW: Visibility & protection against external threats and internet activities
  DCFW: High performance, low latency network protection
  UTM: Visibility & protection against external threats and user activities
  CCFW: Network security for Service Providers

Location
  ISFW: Access Layer
  NGFW: Internet Gateway
  DCFW: Core Layer/DC Gateway
  UTM: Internet Gateway
  CCFW: Various

Network Operation Mode
  ISFW: Transparent Mode
  NGFW: NAT/Route Mode
  DCFW: NAT/Route Mode
  UTM: NAT/Route Mode
  CCFW: NAT/Route Mode

Hardware Requirements
  ISFW: Higher port density to protect multiple assets
  NGFW: GbE and 10GbE ports
  DCFW: High speed (GbE/10GbE/40GbE/100GbE) & high port density, hardware acceleration
  UTM: High GbE port density, integrated wireless connectivity and POE
  CCFW: High speed (GbE/10GbE/40GbE) & high port density, hardware acceleration

Security Components
  ISFW: Firewall, IPS, ATP, Application Control
  NGFW: (User-based) Firewall, VPN, IPS, Application Control
  DCFW: Firewall, DDoS protection
  UTM: Comprehensive and extensible, client and device integration
  CCFW: Firewall, CGN, LTE & mobile security

Other Characteristics
  ISFW: Rapid Deployment – near zero configuration; Integration with Advanced Threat Protection (Sandbox)
  NGFW: High Availability
  DCFW: High Availability
  UTM: Different WAN Connectivity Options such as 3G/4G
  CCFW: –

www.fortinet.com

The ISFW needs to provide policy-driven segmentation

Policy-driven segmentation enables better control and compartmentalization of users’ access to applications and resources via the association of the user’s identity with specific security policy enforcement. Policy-based segmentation can limit the potential attack vectors and threats carried by the user.

Policy-based segmentation can be defined as the automatic association of a user’s identity and the enforced security policy. A user’s identity may be defined as a set of attributes, such as physical location, the type of device used to access the network, the application used, etc. As the user’s identity may change dynamically, the enforced security policy must dynamically and automatically follow the user’s identity.

In order to achieve the required user identification and the overall parameters needed to create and enforce granular security policies, the ISFW must be able to:
1. Allow user, device and application identification
2. Provide integration with directory services solutions to identify the user’s identity
3. Dynamically map a user’s identity to a specific security policy and enforcement

The ISFW needs to provide complete protection

The first element of security is visibility. And visibility is only as good as network packet knowledge. What does a packet stream look like for a specific application, where did it come from, where is it going, even what actions are being taken (download, upload)?

The second and equally important element is protection. Is the application, content or action malicious? Should this type of traffic be communicating from this set of assets to another set of assets? While this is very difficult across different content and application types, it is an essential part of the ISFW. The ability to detect a malicious file, application or exploit gives an enterprise time to react and contain the threat.
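The three policy-driven segmentation steps above (identify user, device and application; consult the directory; map the identity to a policy) and the question “should this traffic be communicating from this set of assets to another?” can be modelled as a small policy engine. This is an added illustration, not Fortinet code: the session table, segments, user names and addresses are all constructed, and the implicit last rule denies all East-West traffic that no identity-based rule explicitly accepts.

```python
"""Toy policy-driven segmentation engine (constructed example, not Fortinet code).

A flow's source is resolved to an identity (user, group, device, location) from
a constructed directory/login table, and the first matching rule decides the
action. Because identity is re-resolved per flow, the same user on a different
device gets a different policy outcome, which is the "policy follows identity"
behaviour the paper describes.
"""
from dataclasses import dataclass
import ipaddress

# Constructed login state, standing in for what an ISFW learns from directory
# services: source IP -> (user, group, device type, location).
SESSIONS = {
    "10.1.10.25": ("alice", "finance", "managed-laptop", "hq"),
    "10.1.10.77": ("alice", "finance", "byod-phone", "hq"),
    "10.1.20.40": ("bob", "engineering", "managed-laptop", "hq"),
}

# Constructed internal segments the ISFW sits in front of.
SEGMENTS = {
    "finance-db": ipaddress.ip_network("10.2.50.0/24"),
    "build-farm": ipaddress.ip_network("10.2.60.0/24"),
}

@dataclass(frozen=True)
class Identity:
    user: str
    group: str
    device: str
    location: str

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str

# Ordered policy: the first rule whose conditions all match wins. A rule only
# constrains the attributes it names; anything not matched is implicitly denied.
POLICY = [
    {"name": "finance-to-db", "group": "finance", "device": "managed-laptop",
     "segment": "finance-db", "app": "mssql", "action": "accept", "inspect": True},
    {"name": "eng-to-build", "group": "engineering", "segment": "build-farm",
     "app": "ssh", "action": "accept", "inspect": True},
]

def resolve_identity(flow):
    """Steps 1-2: identify user, device and location for the flow's source."""
    rec = SESSIONS.get(flow.src_ip)
    return Identity(*rec) if rec else None  # unknown host: no identity at all

def dest_segment(flow):
    """Which protected segment the destination address belongs to, if any."""
    dst = ipaddress.ip_address(flow.dst_ip)
    return next((name for name, net in SEGMENTS.items() if dst in net), None)

def evaluate(flow):
    """Step 3: map identity to policy. Returns (rule name, action, inspect?)."""
    ident, seg = resolve_identity(flow), dest_segment(flow)
    if ident is None or seg is None:
        return ("implicit-deny", "deny", False)
    observed = {"group": ident.group, "device": ident.device,
                "location": ident.location, "segment": seg, "app": flow.app}
    for rule in POLICY:
        if all(rule.get(key, value) == value for key, value in observed.items()):
            return (rule["name"], rule["action"], rule["inspect"])
    return ("implicit-deny", "deny", False)

if __name__ == "__main__":
    for f in [Flow("10.1.10.25", "10.2.50.9", 1433, "mssql"),  # alice, managed laptop
              Flow("10.1.10.77", "10.2.50.9", 1433, "mssql"),  # alice, BYOD phone
              Flow("10.1.20.40", "10.2.50.9", 1433, "mssql"),  # bob -> finance db
              Flow("10.1.99.99", "10.2.60.5", 22, "ssh")]:     # unknown host
        print(f.src_ip, "->", f.dst_ip, evaluate(f))
```

The second and fourth flows show the point of the exercise: the same user is denied when the device attribute changes, and a host with no directory identity cannot reach any segment at all.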
All of these protection elements must be on a single device to be effective.

The ISFW needs to provide easy deployment

The ISFW must be easy to deploy and manage. Keeping it simple for IT means being able to deploy with minimum configuration requirements and without having to re-architect the existing network.

The ISFW must also be able to protect different types of internal assets placed at different parts of the network. It could be a set of servers containing valuable customer information or a set of endpoint devices that may not be able to be updated with the latest security protection.

Additionally, the ISFW must be able to integrate with other parts of the enterprise security solution. Other security solutions can also provide additional visibility and protection. This includes the email gateway, web gateway, border firewalls, cloud firewalls and endpoints. This all needs to be managed with a ‘single pane of glass’ approach. This allows security policies to be consistent at the border, inside the network and even outside the network in clouds.

Additionally, traditional firewalls are usually deployed in routing mode. Interfaces (ports) are well defined with IP addresses. This often takes months of planning and deployment. This is valuable time in today’s instant cyber attack world. An ISFW can be deployed in the network rapidly and with minimum disruption. It must be as simple as powering on a device and connecting. It must be transparent to the network and application.

The ISFW needs to provide wire-speed performance

Because internal segmentation firewalls are deployed in-line for network zoning, they must be very high performance in order to meet the demands of internal or “East/West” traffic, and to ensure they do not become a bottleneck at these critical points. Unlike firewalls at the border, which deal with Wide Area Network (WAN) access or Internet speeds of less than 1 gigabit per second, internal networks run much faster – at multi-gigabit speeds.
Therefore, ISFWs need to operate at multi-gigabit speeds and be able to provide deep packet/connection inspection without slowing down the network.

Both visibility and protection are heavily reliant on a real-time central security threat intelligence service. A question that always needs to be posed is: how good are the visibility and protection? Are they keeping up with the latest threats? That is why all security services should be measured on a constant basis with third-party test and certification services.

ISFW Technology Requirements

A Scalable Hardware Architecture

Because internal networks run at much higher speeds, the ISFW needs to be architected for multi-gigabit protection throughput. Although CPU-only based architectures are flexible, they become bottlenecks when high throughput is required. The superior architecture still uses a CPU for flexibility but adds custom ASICs to accelerate network traffic and content inspection.

A Flexible Network Operating System

Almost all firewall “deployment modes” require IP allocation and reconfiguration of the network. This is known as network routing deployment and provides traffic visibility and threat prevention capabilities. At the other end of the spectrum is sniffer mode, which is easier to configure and provides visibility, but does not provide protection.

Transparent mode combines the advantages of Network Routing and Sniffer modes – it provides rapid deployment and visibility plus, more importantly, protection. The differences are summarized in Figure 3.

FIGURE 3 – FIREWALL TYPE DIFFERENCES (deployment modes)
  Routing mode: Network reconfiguration High; Network Functions L3-Routing; Traffic Availability ✔; Visibility ✔; Threat Protection ✔
  Transparent mode: Network reconfiguration Low; Network Functions L2-Bridge; Traffic Availability ✔; Visibility ✔; Threat Protection ✔
  Sniffer mode: Network reconfiguration Low; Network Functions none; Traffic Availability ✘; Visibility ✔; Threat Protection ✘

Because the ISFW is deployed in closer proximity to the data and devices, it may sometimes need to cope with harsher environments. Availability of a more ruggedized form factor is therefore another requirement of ISFWs.

FIGURE 4 – INTERNAL SEGMENTATION FIREWALL (ISFW) DEPLOYMENT (figure labels: CLOUD; INTERNAL – Applications, Data Center, Campus; Virtual ISFW; ISFW; Data ISFW; Edge Firewall (NGFW); Unified Threat Management (UTM))

www.fortinet.com

Network Segmentation – High Speed Integrated Switching

An evolving aspect of transparent mode is the ability to physically separate subnetworks and servers via a switch. Firewalls are starting to appear on the market with fully functional, integrated switches within the appliance. These new firewalls, with many 10GbE port interfaces, become an ideal data center ‘top-of-rack’ solution, allowing servers to be physically and virtually secured. Also, similar switch-integrated firewalls with a high density of 1GbE port interfaces become ideal for separation of LAN subsegments. ISFWs should be able to fulfill both of these roles, and as such should ideally have fully functional, integrated switching capabilities.

Real-time Security

Internal Segmentation Firewalls must be able to deliver a full spectrum of advanced security services, including IPS, application visibility, antivirus, anti-spam, and integration with cloud-based sandboxing, allowing for the enforcement of policies that complement standard border firewalls. This real-time visibility and protection is critical to limiting the spread of malware inside the network.

Network Wide ISFW Deployment Example

Most companies have set up border protection with firewalls, NGFWs and UTMs. These are still critical parts of the network protection.
However, to increase the security posture, Internal Segmentation Firewalls can be placed strategically internally. This could be a specific set of endpoints where it is hard to update security, or servers where intellectual property is stored.

Segment ISFW Deployment Example

The ISFW is usually deployed in the access layer and protects a specific set of assets. Initially the deployment is transparent between the distribution and access switches. Longer term, the integrated switching could take the place of the access and distribution switch and provide additional physical protection.

FIGURE 5 – INTERNAL SEGMENTATION FIREWALL (ISFW) DEPLOYMENT (figure: To Internet; DISTRIBUTION/CORE LAYER with Core/Distribution Switch; ACCESS LAYER with Access Switch / VLAN, LOCAL SERVERS and USER NETWORK DEVICES; the ISFW is a FortiGate wire intercept using a transparent port pair, with high speed interface connectivity and IPS, ATP & App Control)

Enhancing Advanced Threat Protection with Internal Visibility

A proper approach to mitigating advanced threats should include a continuous cycle of Prevention, Detection, and Mitigation. Very typically a Next-Generation Firewall would serve as a key foundation of the Prevention component, enabling L2/L3 firewall, intrusion prevention, application control and more to block known threats, while passing high-risk unknown items to a sandbox for Detection. But with NGFWs deployed traditionally at the network edge, this only provides partial visibility into the attack life cycle by primarily observing ingress and egress activity.

FIGURE 6 – ADVANCED THREAT PROTECTION (ATP) FRAMEWORK

Deployment of an ISFW can provide more complete visibility into the additional internal activity of the hackers once they’ve compromised the edge. Lateral movement can account for a significant portion of the malicious activity as the hackers try to identify valuable assets and extract data, and having a complete picture of both internal and edge activity enhances all phases of a complete ATP framework. With internal network traffic often being several times the bandwidth of edge traffic, an ISFW can provide many more opportunities to limit the spread of the compromise from known techniques and for more high-risk items to be passed to sandboxes for deeper inspection.

Conclusion

Advanced Threats are taking advantage of the flat internal network. Once through the border defense there is little to stop their spread and eventual extraction of valuable targeted assets. Because traditional firewalls have been architected for the slower speeds of the Internet Edge, it’s hard to deploy these security devices internally. And firewall network configuration deployments (IP addresses) take a long time to deploy. Internal Segmentation Firewalls are a new class of firewall that can be deployed rapidly with minimum disruption while keeping up with the multi-gigabit speeds of internal networks. Instant visibility and protection can be applied to specific parts of the internal network.

Copyright 2015 Fortinet, Inc. All rights reserved.
